Skip to content

Supply chain

Production Fontana deployments consume pre-built OCI images and a verified deploy bundle from your registry (typically GHCR). Application source code is compiled inside images in CI; production hosts pull artifacts only. That boundary supports SOC 2-aligned change management and vulnerability management without running build toolchains on customer data planes.

CI (GitHub Actions, release branch only)
→ OCI images (immutable sha-<git> tags)
→ Deploy bundle (Helm chart, fontana CLI, rendered values, SHA256SUMS)
→ Trivy CRITICAL gate
→ Host pulls bundle + images via fontana CLI

Release artifacts are built only from the protected release branch after pull-request review and required status checks pass; feature-branch pushes run tests without publishing images or bundles.

ControlWhat you get
Immutable image tagsDeploys reference sha-<git> tags; branch tags are convenience only
Bundle checksumsSHA256SUMS in the deploy bundle; installer verifies before activating a release
Pinned upgradesfontana tenant upgrade applies a specific bundle version; automatic snapshot before upgrade
Rollbackfontana rollback <tenant> <snapshot-id> restores data and release state
Artifact-only production hostsProduction hosts pull digest-pinned OCI images and the deploy bundle; no git or build toolchain on the data plane

CI runs Trivy against built images. CRITICAL findings fail the pipeline until remediated or explicitly waived under your change process. That gate is part of the SOC 2-aligned supply-chain control set documented for diligence.

Source dependencies are gated on the same pipeline:

  • pnpm audit fails the build on any high or critical advisory in the dependency tree
  • CodeQL static analysis runs on every push and pull request to the release branch
  • Dependabot keeps lockfile and GitHub Actions dependencies current
  • A public-function inventory diff fails the build when the backend API surface changes without a reviewed baseline update
  • Manual pinned releases on production hosts reference immutable sha-<git> tags
  • Automatic full-stack snapshot before each tenant upgrade (release + data volumes)
  • Terraform for host provisioning; durable platform changes reconcile through fontana apply and infrastructure as code

Snapshot history on the host plus immutable GHCR tags form the deploy audit trail alongside application security audit in ImmuDB.